Is it possible to restrict an auth domain to a given CIDR?
This could for instance be used to prevent the kibanaserver user from using the REST API from outside the organization.
Or is there another way to achieve this?

The problem with the kibana user is that it’s granted access from everywhere, while it only needs access from the box running Kibana. I don’t want to have world-accessible basic auth just because of an Elasticsearch/Kibana limitation.